Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Arno: >> Thank You for Your time and answer, Arno: >> >> > a) locking the root account (passwd -l root), which will give you >> > "sulogin: root account is locked, starting shell" >> >> That's the point - sudo is used on the system and the root account is >> blocked. > >Que? >http://lists.debian.org/debian-user/2011/12/msg00075.html Sorry. I did misunderstand You there. What is 'que'? How I can set password when root account is blocked - in favor of requiring sudo user's password? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4edf0c55.c820cc0a.64ba.0...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Sthu Deus (sthu.d...@gmail.com on 2011-12-06 01:18 +0700): > Thank You for Your time and answer, Arno: > > > a) locking the root account (passwd -l root), which will give you > > "sulogin: root account is locked, starting shell" > > That's the point - sudo is used on the system and the root account is > blocked. Que? http://lists.debian.org/debian-user/2011/12/msg00075.html -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20111206201500.3ef0f...@neminis.intra.loos.site
Re: Passwordless root shell is offered when boot problem occurs.
On Lu, 28 nov 11, 13:47:59, Sthu Deus wrote: > Good time of the day. > > Once mount error occurs while OS booting, I get root shell - w/o even > asking for password... How I can change the behavior (to ask for > password before granting root shell)? Hi Sthu, From reading the thread I understand your goal is to secure your box even in case of physical access. Since you provided little information I will assume you want to prevent somebody like a room mate to use the computer and possibly also access files without your knowledge. A BIOS and/or grub password will help in most cases, unless the persons would have to possibility to reset the BIOS (needs opening the case) or physically installing your harddisk in another computer. In such case partial/full disk encryption would help. Hope this helps, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic signature.asc Description: Digital signature
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Arno: > a) locking the root account (passwd -l root), which will give you > "sulogin: root account is locked, starting shell" That's the point - sudo is used on the system and the root account is blocked. So, what's the strategy to protect systems in such cases as mine when root account is blocked? Why, for example, the sudoers users are no asked for their passwords, if You know? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4edd0aee.c820cc0a.2104.9...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
On Fri, 02 Dec 2011 14:04:15 +0700, Sthu Deus wrote: > Thank You for Your time and answer, Camaleón: > You mean "Busybox"? :-? >>> >>> I do not know - it appears when something wrong during boot process. >> >>It should be printed out, something like: >> >>*** >>BusyBox v1.10.2 (Debian x-x-x-x) Built-in shell (xxx) *** > > Oh, no. It's not my case. Nor I have the packages installed. Hmmm... are you sure? It is installed by default in all of my Lenny systems and also in wheezy. sm01@stt008:~$ dpkg -l | grep busy ii busybox 1:1.10.2-2 Tiny utilities for small and embedded system >>If that's what you get it cames out when there is a problem when >>booting, for instance, a missing kernel module for the hard disk >>controller, a bad hard disk identifier at GRUB's menu file, etc. So >>instead having you no option at all and display a black screen (because >>the system is halted), we are presented with the BusyBox. > > That's great, just why not to protect it w/ a password prompt? - Or > again, "nobody listening, no exploits are available", etc?! ;o) It is very easy to access into a system when you stand in front of it, I mean, when you have physical access to the computer. Unless you have secured GRUB with a password, you can append "init=/bin/sh" to the kernel line at boot menu and then again, no password will be prompted for you. >>> That's good, but how I can provide password prompting? I remember in >>> past times there was a prompt for Ctrl-d to press and type root's >>> password. >> >>I think that's a different thing :-? > > For sure, it is. > >>For example, when you go fall into "init 1" you are prompted with root's >>password to get into the maintenance console or continue by pressing >>Ctrl +D, so here you are indeed asked for root's password because you >>are inside the full shell and not inside the limited BusyBox >>environment. > > So, where I get into - in my case - having no busybox installed, yet > password-less root shell is granted? 8-0 I'm not sure about the scenario you are describing... I think busybox is installed by default and comes up when there are boot problems. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.12.03.14.55...@gmail.com
Re: Passwordless root shell is offered when boot problem occurs.
Sthu Deus (sthu.d...@gmail.com on 2011-12-03 17:53 +0700): > >[..] A standard Debian config > >should not offer a passwordless root shell unless you explicitly ask > >for it, > > Oh, no! I didn't! :) > > Do You have an idea where to look for that? - I have no ideas, > absolutely. Just as a pointer, you can get a passwordless root shell by: - interrupting initramfs: specify break=init on the kernel command line - overriding init: specify init=/bin/bash on the kernel command line - configuring inittab: either add a bootwait line spawning /bin/*sh or tell getty to bypass login with -l /bin/*sh - setting SULOGIN=yes in /etc/default/rcS, and either a) locking the root account (passwd -l root), which will give you "sulogin: root account is locked, starting shell" b) deleting root's password (passwd -d root), which will give you "Press enter for maintenance(or type Control-D to continue)" All four methods above will give you an unconditional root shell. Since yours only spawns on error, none of the above applies. > > On other hand, if we pursue this idea - that physical access makes a > host absolutely undefended, - we can let root account to be > password-less - for why worrying? Setting a root password will still protect you from remote users that have access to login programs (such as su). Locking the root account reduces the attack surface to your sudoers configuration. Regards, Arno -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20111203150013.1fa5b...@neminis.intra.loos.site
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Joel: >Recently had fun with Fedora, when it didn't like the way I specified >my HDs, it would drop me into the ctrl-d prompt, but I couldn't go >anywhere beyond that. Any key I pressed, including ctrl-d, would cycle >me another ctrl-d prompt. When I had the prompt - I had no problems w/ getting root shell since I correctly entered its password. But situations probably differ in what has been mounted - root or of secondary importance (like /usr) partitions. If / partition was absent/not-mounted then, what did provide the prompt itself - the linux (kernel)? Were there any parameters passed to kernel at boot (in grub or whatever loader You used)? >There's a half-fixed bug on that still over there, but I'm not >interested in testing any further, so I simply changed my fstab to >spec the drives by UUIDs. (I always forget the command for getting the >UUID from the drive. These days, I list /dev/disk/something and use >the extra information. I think that's the same on Debian. Yeah, I'm >logged in on Fedora right now.) Similar issues, different symptoms, >I'm thinking. It'd try to offer my the password prompt, but it wasn't >mounting the root drive, so there was no /bin/passwd to run, and it >just exceptioned it's way back to the ctrl-d prompt. Yea, it seems logical. >Anyway, the question I'd ask is whether you can force this behavior if >your configuration is correct. (By current definition of correct, >which appears to be to refrain from trying to mount /dev/sdb4 and such >in your fstab, and mount UUID=long-hex-string instead. Or >/dev/mapper/vol-group for LVM volumes.) And, I guess you imply that >you can mount your drives in this password-less shell, but is that the >case? Yes, the drives are mounted OK. I just skipped one - of secondary importance to boot process when ended up w/ password-less root shell - I was amazed - how easily it is for Debian to get the shell - just boot it skipping a single partition and You are there - whole the system is under Your control - no need even to take off the drive or boot own OS from other media! -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4eda1949.8872cd0a.0b8a.a...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Arno: >> Hmm. I thought everybody has the same OS behavior in such >> condition... And the problem here is only improper/default >> configuration. > >That could very well be, but I haven't had a boot problem in years >(well, except when trying out systemd). A standard Debian config should >not offer a passwordless root shell unless you explicitly ask for it, Oh, no! I didn't! :) Do You have an idea where to look for that? - I have no ideas, absolutely. >Early boot messages should be found in /var/log/boot, but bootlogd >seems very hit&miss on my systems. Filesystem checks are logged >in /var/log/fsck. Same here. >It's not about emergency situations, although it certainly can be used >as such. It's about accesss: if anyone has physical access to your >machine, there are so many ways to access your system that it is silly >to protect against one of them. That's right. But it is just a link in a chain of undertakings to protect the computer totally or, to make one's life harder. :) On other hand, if we pursue this idea - that physical access makes a host absolutely undefended, - we can let root account to be password-less - for why worrying? I understand the things You are speaking about - but I want ot all I can to make it more secure - even having physical access to the host. >So yes, protecting yourself from physical attacks by insisting on a >root password is abnormal behaviour. How are you going to prevent an >attacker from opening your PC and connecting the harddisk to his own >machine? Probably, to supply a dynamite? :) - I think it goes beyond Debian security, doesn't it? >> - and in case I want to commit >> what I have targeted, I have to develop the solution myself (that is >> there is no a config. file that I might simply turn on the password >> prompt for root shell in such cases)? > >In short, yes. If you really want to be that paranoid (and there are >good reasons for it, especially on laptops), you should be looking at >encryption as your solution (dm-crypt, truecrypt, bitlocker), not >passwords. Oh, OK... Thanks again. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ed9ffc7.c48dcd0a.3323.8...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Sthu Deus (sthu.d...@gmail.com on 2011-12-02 15:17 +0700): > > >From here it's all guesswork. You'd need to provide a full bootlog up > >to the point where the shell is started to get any meaningful > >answers. > > Hmm. I thought everybody has the same OS behavior in such condition... > And the problem here is only improper/default configuration. That could very well be, but I haven't had a boot problem in years (well, except when trying out systemd). A standard Debian config should not offer a passwordless root shell unless you explicitly ask for it, but I can think of at least four ways to get such a root shell -- not including misconfiguration, bugs or alternative boot devices. > > I have grepped through my logs on HDD partition that caused the boot > stop (because one partition was not mounted that set to be auto > mounted) - I don't think you'll find anything in the system logs. From the little information you have given, it is clear that the system has not fully started, so there is no reason to assume that /var/log is accessible or that syslog is running. Early boot messages should be found in /var/log/boot, but bootlogd seems very hit&miss on my systems. Filesystem checks are logged in /var/log/fsck. > > In general, am I correct in understanding the situation, that what I > gonna do is abnormal behavior in Debian distro., and to have the root > password-less shell in "emergency" cases is OK for some (to > developers / security team) reasons It's not about emergency situations, although it certainly can be used as such. It's about accesss: if anyone has physical access to your machine, there are so many ways to access your system that it is silly to protect against one of them. So yes, protecting yourself from physical attacks by insisting on a root password is abnormal behaviour. How are you going to prevent an attacker from opening your PC and connecting the harddisk to his own machine? > - and in case I want to commit > what I have targeted, I have to develop the solution myself (that is > there is no a config. file that I might simply turn on the password > prompt for root shell in such cases)? In short, yes. If you really want to be that paranoid (and there are good reasons for it, especially on laptops), you should be looking at encryption as your solution (dm-crypt, truecrypt, bitlocker), not passwords. Regards, Arno -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20111203000543.44f5a...@neminis.intra.loos.site
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Arno: >From here it's all guesswork. You'd need to provide a full bootlog up >to the point where the shell is started to get any meaningful answers. Hmm. I thought everybody has the same OS behavior in such condition... And the problem here is only improper/default configuration. I have grepped through my logs on HDD partition that caused the boot stop (because one partition was not mounted that set to be auto mounted) - yet I did not find any statements on the mounting problems and therefore I could not find the place in log files to see the messages around the moment the stop or root password-less shell occurs. What should I look for (the event recorded in the logs)? >> >the like. But if you find yourself needing to secure against that, >> >then you must also set a bootloader password, lock out alternative >> >boot methods, set a BIOS password and put your machine behind lock >> >and key. Do you really need that? >> >> At least I want that. Do You know how to do that? >> > >I know the theory, that is all I know. The Debian initramfs is >generated from scripts in /usr/share/initramfs-tools. To add files to >it, you need to create a file in /etc/initramfs-tools/hooks that >copies the required files (/sbin/sulogin, /etc/passwd and /etc/shadow) >into the initramfs, and then you need to edit the panic() function >scipts/functions to spawn sulogin instead of a shell. In general, am I correct in understanding the situation, that what I gonna do is abnormal behavior in Debian distro., and to have the root password-less shell in "emergency" cases is OK for some (to developers / security team) reasons - and in case I want to commit what I have targeted, I have to develop the solution myself (that is there is no a config. file that I might simply turn on the password prompt for root shell in such cases)? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ed889b7.c798cc0a.1b8c.e...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Camaleón: >>>You mean "Busybox"? :-? >> >> I do not know - it appears when something wrong during boot process. > >It should be printed out, something like: > >*** >BusyBox v1.10.2 (Debian x-x-x-x) Built-in shell (xxx) >*** Oh, no. It's not my case. Nor I have the packages installed. >If that's what you get it cames out when there is a problem when >booting, for instance, a missing kernel module for the hard disk >controller, a bad hard disk identifier at GRUB's menu file, etc. So >instead having you no option at all and display a black screen >(because the system is halted), we are presented with the BusyBox. That's great, just why not to protect it w/ a password prompt? - Or again, "nobody listening, no exploits are available", etc?! ;o) >> That's good, but how I can provide password prompting? I remember in >> past times there was a prompt for Ctrl-d to press and type root's >> password. > >I think that's a different thing :-? For sure, it is. >For example, when you go fall into "init 1" you are prompted with >root's password to get into the maintenance console or continue by >pressing Ctrl +D, so here you are indeed asked for root's password >because you are inside the full shell and not inside the limited >BusyBox environment. So, where I get into - in my case - having no busybox installed, yet password-less root shell is granted? 8-0 -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ed87872.8872cd0a.0b8a.e...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Sthu Deus (sthu.d...@gmail.com on 2011-12-01 23:54 +0700): > > >fsck errors should drop into a sulogin shell, which asks for the > >password. The only way you could get a root shell is if your root > >device cannot be found. In that case, there is no way to ask for a > >password because there is no password file. > > Well. There is root device - if You mean / mount point. Otherwise > whence sulogin comes from? sulogin should be in /sbin on your filesystem, but that is not the first filesystem where programs are started from. Google "early userspace" and "initramfs' for background info. From here it's all guesswork. You'd need to provide a full bootlog up to the point where the shell is started to get any meaningful answers. > > >If you must, there might be a way to get what you want by adding > >files to the initramfs by dropping a file > >in /etc/initramfs-tools/hooks/ or > > Ahh. I have the dir. empty. > > >the like. But if you find yourself needing to secure against that, > >then you must also set a bootloader password, lock out alternative > >boot methods, set a BIOS password and put your machine behind lock > >and key. Do you really need that? > > At least I want that. Do You know how to do that? > I know the theory, that is all I know. The Debian initramfs is generated from scripts in /usr/share/initramfs-tools. To add files to it, you need to create a file in /etc/initramfs-tools/hooks that copies the required files (/sbin/sulogin, /etc/passwd and /etc/shadow) into the initramfs, and then you need to edit the panic() function scipts/functions to spawn sulogin instead of a shell. Regards, Arno -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20111202000209.2394c...@neminis.intra.loos.site
Re: Passwordless root shell is offered when boot problem occurs.
On Thu, 01 Dec 2011 23:49:00 +0700, Sthu Deus wrote: > Thank You for Your time and answer, Camaleón: > >>> Once mount error occurs while OS booting, I get root shell - w/o even >>> asking for password... >> >>You mean "Busybox"? :-? > > I do not know - it appears when something wrong during boot process. It should be printed out, something like: *** BusyBox v1.10.2 (Debian x-x-x-x) Built-in shell (xxx) *** If that's what you get it cames out when there is a problem when booting, for instance, a missing kernel module for the hard disk controller, a bad hard disk identifier at GRUB's menu file, etc. So instead having you no option at all and display a black screen (because the system is halted), we are presented with the BusyBox. >>> How I can change the behavior (to ask for password before granting >>> root shell)? >> >>If you refer to busybox, AFAIK is not a pure root's shell but a self- >>contained, separated and limited environment to run some diagnostic >>tools within your machine so you can easily recover the system when >>something is broken. > > That's good, but how I can provide password prompting? I remember in > past times there was a prompt for Ctrl-d to press and type root's > password. I think that's a different thing :-? For example, when you go fall into "init 1" you are prompted with root's password to get into the maintenance console or continue by pressing Ctrl +D, so here you are indeed asked for root's password because you are inside the full shell and not inside the limited BusyBox environment. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.12.01.17.05...@gmail.com
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Arno: >> Once mount error occurs while OS booting, I get root shell - w/o even >> asking for password... How I can change the behavior (to ask for >> password before granting root shell)? >> > >Do you get a message 'root account locked, starting shell?' No. >fsck errors should drop into a sulogin shell, which asks for the >password. The only way you could get a root shell is if your root >device cannot be found. In that case, there is no way to ask for a >password because there is no password file. Well. There is root device - if You mean / mount point. Otherwise whence sulogin comes from? >If you must, there might be a way to get what you want by adding files >to the initramfs by dropping a file in /etc/initramfs-tools/hooks/ or Ahh. I have the dir. empty. >the like. But if you find yourself needing to secure against that, then >you must also set a bootloader password, lock out alternative boot >methods, set a BIOS password and put your machine behind lock and key. >Do you really need that? At least I want that. Do You know how to do that? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ed7b162.4713cc0a.158a.5...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Thank You for Your time and answer, Camaleón: >> Once mount error occurs while OS booting, I get root shell - w/o even >> asking for password... > >You mean "Busybox"? :-? I do not know - it appears when something wrong during boot process. >> How I can change the behavior (to ask for password before granting >> root shell)? > >If you refer to busybox, AFAIK is not a pure root's shell but a self- >contained, separated and limited environment to run some diagnostic >tools within your machine so you can easily recover the system when >something is broken. That's good, but how I can provide password prompting? I remember in past times there was a prompt for Ctrl-d to press and type root's password. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ed7b006.42a4cc0a.043b.5...@mx.google.com
Re: Passwordless root shell is offered when boot problem occurs.
Sthu Deus (sthu.d...@gmail.com on 2011-11-28 13:47 +0700): > Once mount error occurs while OS booting, I get root shell - w/o even > asking for password... How I can change the behavior (to ask for > password before granting root shell)? > Do you get a message 'root account locked, starting shell?' fsck errors should drop into a sulogin shell, which asks for the password. The only way you could get a root shell is if your root device cannot be found. In that case, there is no way to ask for a password because there is no password file. If you must, there might be a way to get what you want by adding files to the initramfs by dropping a file in /etc/initramfs-tools/hooks/ or the like. But if you find yourself needing to secure against that, then you must also set a bootloader password, lock out alternative boot methods, set a BIOS password and put your machine behind lock and key. Do you really need that? Regards, Arno -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2028171700.61ae3...@neminis.intra.loos.site
Re: Passwordless root shell is offered when boot problem occurs.
On Mon, 28 Nov 2011 13:47:59 +0700, Sthu Deus wrote: > Once mount error occurs while OS booting, I get root shell - w/o even > asking for password... You mean "Busybox"? :-? > How I can change the behavior (to ask for password before granting root > shell)? If you refer to busybox, AFAIK is not a pure root's shell but a self- contained, separated and limited environment to run some diagnostic tools within your machine so you can easily recover the system when something is broken. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.11.28.15.16...@gmail.com
